
Website Hacked? What To Do (And What Not To Do)

Getting hacked is more common than you think, and it usually doesn't mean you did anything wrong. Here's how to recognize when your site is compromised, what not to do in a panic, and how to actually fix it.

First: This Is Normal

If your website got hacked, you're not alone. You didn't necessarily do anything wrong. And it's not the end of the world.

Website compromises are common, especially for older sites running on shared hosting. Automated bots scan millions of sites daily looking for outdated software. When they find a vulnerability, they exploit it automatically.

This isn't personal. It's not targeted. It's just the reality of running a website on the internet.

The key is recognizing what happened, not panicking, and fixing it correctly.

First Signs Your Website Is Compromised

Here's what a hacked website typically looks like:

Spam Redirects

You visit your site and it redirects to pharmacy spam, fake product pages, or adult content. Sometimes this only happens on certain pages or only to visitors from search engines.

Search Results Look Wrong

You Google your business name and the search result shows weird titles or descriptions—usually pharmaceutical spam, casino links, or other garbage you definitely didn't write.

Hosting Account Suspension

You get an email from your hosting provider saying your account has been suspended for sending spam, hosting malware, or consuming excessive resources.

Login Failures

Your admin password no longer works. You try password reset and either it doesn't work or you never receive the email. You've been locked out of your own site.

Slow or Unstable Performance

The site suddenly loads extremely slowly or crashes entirely. Pages time out. The server becomes unresponsive.

This can happen when malware is using your server resources to send spam, mine cryptocurrency, or participate in DDoS attacks.

Strange Files or Code

If you know where to look, you might find files with gibberish names, unknown admin accounts, or injected code in your theme files or database.
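A read-only way to look for the file-level signs described above, written as an added example (it is not code from the original article). It assumes a standard WordPress layout with a wp-content/uploads directory; the pattern list and the sample tree are constructed for illustration. It only reports findings and never deletes anything.

```python
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".phar"}
# Constructs often seen in injected PHP. A hit is a lead to review, not proof.
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-encoded-blob": re.compile(rb"[A-Za-z0-9+/]{400,}"),
}

def triage(site_root):
    """Return sorted (relative_path, reason) pairs. Read-only: nothing is changed."""
    root = Path(site_root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        # Uploads should hold media, so executable PHP there deserves a look.
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "php-in-uploads"))
        data = path.read_bytes()[:2_000_000]  # cap the read on huge files
        for reason, pattern in PATTERNS.items():
            if pattern.search(data):
                findings.append((rel, reason))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one clean file, one injected theme file, one PHP upload."""
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-content/themes/demo/functions.php":
            b"<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); // constructed\n",
        "wp-content/uploads/2016/03/xkq9z.php": b"<?php // constructed placeholder\n",
        "wp-content/uploads/2016/03/logo.png": b"\x89PNG constructed",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in triage(tmp):
            print(f"{reason:22} {rel}")
```

Some legitimate plugins also use these constructs, so each hit needs a human look before anything is removed. Unknown admin accounts live in the database and are not covered by this file scan.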

What NOT To Do

When you realize your site is hacked, panic usually makes things worse. Here are the most common mistakes:

Don't Start Deleting Random Files

You might think, "I'll just delete everything suspicious." But unless you know exactly what you're deleting, you're likely to break your site even more.

Malware often hides in legitimate-looking files. Deleting the wrong thing can take your site from "hacked but functional" to "completely broken."

Don't Install Five Security Plugins at Once

Installing multiple security plugins simultaneously can cause conflicts, false positives, and performance problems. You might also lock yourself out completely.

Security plugins have their place, but during an active compromise, they're not the first move.

Don't Restore Unknown Backups Repeatedly

Restoring from backup sounds logical. But if you don't know when the compromise happened, you might be restoring an already-infected version of your site.

Worse, if the vulnerability that got you hacked in the first place is still present, you'll just get hacked again immediately.

Don't Give Admin Access to Random "Fix My Site" Emails

You'll probably get emails offering to fix your hacked site. Some are legitimate. Many are scams looking to steal more credentials or infect your site further.

If you didn't contact them first, be very skeptical.

Don't Assume Your Hosting Provider Fixed Everything

If your hosting provider suspended your account and then reinstated it, they probably just removed the most obvious malicious files to stop the immediate abuse.

They didn't necessarily clean the entire infection, patch the vulnerability, or prevent it from happening again. That's on you.

Why Hacks Were So Common (2010-2016)

If you're wondering why this happened to you, here's some context.

Between roughly 2010 and 2016, WordPress compromises were extremely common. Here's why:

Explosive WordPress growth. WordPress went from a niche blogging platform to powering 25%+ of the web. That made it a massive target.

Plugin ecosystem chaos. Thousands of plugins were being developed by people with varying levels of security knowledge. Vulnerable plugins were everywhere.

Weak shared hosting isolation. Budget shared hosting often didn't properly isolate customer accounts. One compromised site could infect dozens of others on the same server.

Poor update habits. Many site owners installed WordPress and never updated it. Automated bots scanned for outdated versions and exploited known vulnerabilities.

Constant bot scanning. Bots were (and still are) constantly scanning the web for vulnerable sites. They check for outdated software, weak passwords, and known exploits 24/7.

Things have improved significantly since then. WordPress core security is better. Hosting providers have improved isolation. Security plugins are smarter. Auto-updates exist.

But the fundamentals haven't changed. If you run outdated software on the internet, you will eventually get compromised.

How I Approach a Hacked Site

When I work on a compromised site, here's my philosophy:

Understand Before Acting

I don't start deleting files or running cleanup scripts immediately. First, I figure out what actually happened.

What got compromised? How deep does it go? When did it happen? Is it still actively spreading?

Preserve Evidence

Sometimes you need to know how the compromise happened to prevent it from happening again. That means preserving evidence before cleanup.

Log files, access logs, file modification dates—all useful for understanding the attack vector.
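One way to capture file modification dates before cleanup touches anything, as an added example (not code from the original article). The function names, CSV layout and sample site are assumptions made for illustration; the manifest is meant to be saved outside the web root, and the modification timeline it produces helps narrow down when the compromise happened and which backup predates it.

```python
import csv
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path

FIELDS = ["path", "size", "mtime_utc", "sha256"]

def build_manifest(site_root):
    """Return one record per file, oldest modification first. Read-only."""
    root = Path(site_root)
    records = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        records.append({
            "path": path.relative_to(root).as_posix(),
            "size": st.st_size,
            "mtime_utc": mtime.isoformat(timespec="seconds"),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        })
    return sorted(records, key=lambda r: (r["mtime_utc"], r["path"]))

def save_manifest(records, out_file):
    """Write the manifest as CSV; keep out_file outside the web root."""
    with open(out_file, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(records)

def changed_since(records, cutoff):
    """Paths modified at or after cutoff (a timezone-aware datetime)."""
    return [r["path"] for r in records
            if datetime.fromisoformat(r["mtime_utc"]) >= cutoff]

def build_sample_site(root):
    """Constructed sample: two files from 2015 and one changed in 2016."""
    stamps = {
        "index.php": "2015-06-01T10:00:00+00:00",
        "wp-content/themes/demo/style.css": "2015-06-01T10:00:00+00:00",
        "wp-content/themes/demo/functions.php": "2016-03-14T02:17:00+00:00",
    }
    for rel, stamp in stamps.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample: " + rel)
        ts = datetime.fromisoformat(stamp).timestamp()
        os.utime(target, (ts, ts))
```

Modification times can be reset by whoever changed the file, so treat the timeline as a lead and confirm it against the access logs and against hashes from a clean copy of the same software version.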

Fix Root Causes, Not Just Symptoms

Removing malware files is pointless if the vulnerability that allowed them in is still present. You'll just get reinfected.

The actual fix involves patching the vulnerability, securing access, and then cleaning up the infection.

Balance Speed With Correctness

Emergency situations require fast action, but not reckless action. I move quickly, but I don't skip steps that matter.

Containment happens fast. Cleanup happens carefully.

Recovery vs. Rebuild — How the Decision Is Made

Not every hacked site should be cleaned and recovered. Sometimes rebuilding is the smarter move.

When Cleanup Makes Sense

  • The infection is recent and relatively contained
  • You have clean backups from before the compromise
  • The site is otherwise modern and well-maintained
  • Downtime needs to be minimized

When Rebuilding Is Smarter

  • The infection is old and deeply embedded
  • The site is already outdated and difficult to maintain
  • You don't trust that cleanup will be thorough enough
  • You were already considering a redesign anyway

Cost vs. Risk Tradeoffs

Cleanup is usually faster and cheaper short-term. Rebuilding costs more upfront but gives you a clean slate.

If cleanup costs $300 and there's a 20% chance of reinfection, versus a rebuild at $1,200 with minimal reinfection risk, which makes sense?

It depends on your situation, your budget, and your tolerance for ongoing security headaches.

After the Fix: Keeping It From Happening Again

Once your site is clean, here's how to reduce the chances of it happening again:

Keep Everything Updated

WordPress core, themes, plugins—keep them current. Enable auto-updates for minor releases if your host supports it.

Outdated software is the number one reason sites get hacked.

Have Real Backups

Not just backups that live on the same server as your site. Offsite backups. Backups you've actually tested restoring from.

If you get hacked and don't have backups, your options are much more limited.

Fewer Plugins Is Better

Every plugin is a potential vulnerability. Only use plugins you actually need. Delete ones you're not using.

One well-maintained plugin is better than three sketchy ones that do similar things.

Better Hosting If Possible

Cheap shared hosting isn't inherently bad, but security and isolation vary wildly. If you're getting hacked repeatedly on budget hosting, it might be time to upgrade.

Good managed WordPress hosting costs more, but it usually includes better security, automated backups, and staging environments.

Basic Monitoring

You don't need expensive enterprise monitoring. Just something that alerts you if your site goes down or gets flagged by Google.

The faster you catch a compromise, the easier it is to fix.

When to Call for Help

You should call for help if:

  • You're completely locked out and can't regain access
  • Your hosting account has been suspended
  • There's any risk to customer data (contact forms, e-commerce, etc.)
  • Google has blacklisted your site
  • Time matters more than learning how to fix it yourself

Some people want to learn how to handle this themselves. That's fine. But if your business is losing money every hour your site is down, paying someone who's done this hundreds of times is usually the right call.

If you're worried about Google rankings during recovery, read "Will This Hurt My Google Ranking?" for what actually damages SEO vs. what you can safely ignore.

Final Thoughts

Getting hacked doesn't mean you're bad at running a website. It means you're running a website on the internet, where automated attacks are constant.

The right response isn't panic. It's methodical cleanup, patching the vulnerability, and taking reasonable steps to prevent it from happening again.

If you need help, get help. If you want to handle it yourself, take your time and do it right.

Need Help With a Hacked Site?

I've been cleaning up compromised websites since 2014. If your site is hacked, broken, or locked out, I can help get it back online.

About Ben Huffman

Ben Huffman has been dealing with hacked and compromised websites since the early WordPress boom. Based in Grand Forks, he provides security cleanup and emergency help for small businesses throughout the Red River Valley.
